What is the minimum version of code that I need to run in order to support my FWSM, Intrusion Detection System Module 2 (IDSM2), and VPN Service Module (VPNSM)?

The appropriate version of code depends on the type of Supervisor Module in your 6500 or 7600 chassis, as well as the type of software you run (Cat OS or Cisco IOS). See this table for specific code versions for your module and Multilayer Switch Feature Card (MSFC).

Since the FWSM automatically compiles access lists into hardware after 10 seconds of
inactivity at the CLI, there is no need for turbo access lists. FWSM version 2.1 offers the
additional functionality of being able to nominate when the access lists are compiled.

Does the FWSM support the IOS Open Shortest Path First (OSPF) auto-cost reference-bandwidth command?

No. The FWSM is not aware of the physical ports connected to it. OSPF cost must be
configured manually for each interface with the ospf cost command.

Can I run Open Shortest Path First (OSPF) protocol in a topology where two different interfaces of the FWSM connect to the same network?

Yes. This functionality is supported in versions 2.1 and later.

Can I terminate VPN connections on my FWSM?

VPN functionality is not supported on the FWSM. Termination of VPN connections is the
responsibility of the switch and/or VPN Services Module.

Are there any limitations in the implementation of multicast in FWSM?

Yes. The FWSM does not support the 232.x.x.x subnet as a group name, because it is already
reserved for Security Services Module (SSM).

Does FWSM support multiple shared interfaces?

The FWSM does not support multiple shared interfaces. Instead, you can have one VLAN
across multiple contexts. Refer to Sharing Resources and Interfaces Between Contexts for
more information.

Why am I unable to ping my FWSM on a directly connected interface?

By default, each interface denies Internet Control Message Protocol (ICMP). Use the icmp
command to allow this traffic to the interface.

Can I configure failover between two FWSMs that run different versions of code?

No. Failover requires that both FWSMs run the same version of code. A mechanism within the failover feature verifies the peer version and prevents failover if the versions of code are
different. For this reason, you must upgrade both FWSMs at the same time.

Can I configure failover between two FWSMs in different chassis?

Yes, but the FWSMs must be connected by Layer 2 on all interfaces. In other words, all
interfaces must be able to exchange Layer 2 broadcast packets [Address Resolution Protocol
(ARP), and so forth] with each other. Failover protocol packets cannot be routed at Layer 3.

I have set up failover between two FWSMs, but they are not syncing. What could be the problem?

Ensure that your configuration meets these requirements for successful failover.

Both FWSMs must run the same version of code.

Both FWSMs must have the same number of VLANs.

A Layer 2 connection must exist between all VLANs on the FWSMs. If the FWSMs exist in different chassis with a trunk configured between them, verify that all
VLANs exist and are allowed on the trunk.
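
A pre-check for the three requirements above, as an added example that is not Cisco tooling or part of the original FAQ. The dictionary fields, version strings and VLAN numbers are constructed, and comparing VLAN IDs in addition to counts is an added assumption (a VLAN present on only one unit has no Layer 2 peer).

```python
# Added example: validates the failover requirements listed in the FAQ.
# Input shape ('version', 'vlans') is hypothetical; fill it from your own inventory.

def expand_vlans(spec):
    """Expand a Cisco-style VLAN list such as '10-12,20' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def failover_precheck(primary, secondary, trunk_allowed=None):
    """Return a list of findings; an empty list means every check passed.

    trunk_allowed is the VLAN list permitted on the inter-chassis trunk,
    or None when both modules sit in the same chassis.
    """
    findings = []
    # Requirement 1: same version of code on both units.
    if primary["version"].strip() != secondary["version"].strip():
        findings.append(f"version mismatch: {primary['version']} vs {secondary['version']}")
    # Requirement 2: same number of VLANs.
    p, s = expand_vlans(primary["vlans"]), expand_vlans(secondary["vlans"])
    if len(p) != len(s):
        findings.append(f"VLAN count differs: {len(p)} vs {len(s)}")
    # Assumption beyond the FAQ: the VLAN IDs themselves must match too.
    if p != s:
        findings.append(f"VLANs not on both units: {sorted(p ^ s)}")
    # Requirement 3: every VLAN must be allowed on the trunk between chassis.
    if trunk_allowed is not None:
        missing = (p | s) - expand_vlans(trunk_allowed)
        if missing:
            findings.append(f"VLANs not allowed on trunk: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    # Constructed sample data for two modules in different chassis.
    unit_a = {"version": "2.1", "vlans": "100-102,200"}
    unit_b = {"version": "2.1", "vlans": "100-102,201"}
    for finding in failover_precheck(unit_a, unit_b, trunk_allowed="100-102,200"):
        print("FAIL:", finding)
```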